Exploit on the 'net that brings down Sygate?

Discussion in 'other firewalls' started by Pikachu762, May 19, 2004.

Thread Status:
Not open for further replies.
  1. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    Hi everyone,

    I posted about Sygate crashing in the PG forum a couple days ago, thinking it was somehow related to PG, or that PG could stop the crashes and failures.

    But now I'm thinking that there is a exploit out there that will bring down Sygate. I am finding that SPF is crashing only when this bad inbound traffic is occuring. Many times it blocks incoming stuff, but fairly often my firewall will die without warning. These bad packets are hitting me on a variety of ports, but 5000 seems to be the most commonly used. 0, 80, and 113 are also used fairly often. The remote ports from which the connection attepts originate are high-numbered.

    I have seen .dll requesters pop up, asking for permission, and within seconds of their appearance, they disappear again, and the Sygate program is no longer running. The icon for SPF remains in the lower right, but it goes away if I move the mouse pointer over it. Yesterday this happened twice in a row, in rapid succession. (The request was something about a remote initiated connection attempt to load .dll files relating to Windows help).

    Here is some info from my event log. Most of this I don't really understand, but perhaps it has something to do with SPF crashing all the time. Maybe there isn't an exploit out there, but I have a misconfiguration on my machine.

    In the System log, there is an entry from today saying the Service Control Manager is giving me an Error, and the Event ID is 7034. It says "The Sygate Personal FIrewall service terminated unexpectedly. It has done this 2 time(s)." I've tried looking around a bit, but I haven't found anything that explains what Event ID 7034 is, and WHY Sygate is crashing.

    The Event Viewer for this System log entry says a file named netevent.dll is involved, version 5.1.2600.0

    In my Security log, there are a few entries I also don't understand. These entries were created shortly after I logged on, before connecting to the net.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 615
    Date: 5/19/2004
    Time: 5:56:00 PM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: POOP1
    Description:
    IPSec Services: IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Policy Change
    Event ID: 615
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\NETWORK SERVICE
    Computer: POOP1
    Description:
    IPSec Services: IPSec Services failed to initialize RPC server with error code: The authentication service is unknown.
    . IPSec Services could not be started.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: (***myname***)
    Source Workstation: POOP1
    Error Code: 0xC000006A

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: (***myname***)
    Domain: POOP1
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: POOP1

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    (Why the heck is this appearingo_O I didn't make a mistake when I typed in my password, I just typed it once and logged right in....)

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date: 5/19/2004
    Time: 5:56:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: POOP1
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon account: (***myname***)
    Source Workstation: POOP1
    Error Code: 0xC000006A


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    And finally, we have my successful logon entry...

    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 528
    Date: 5/19/2004
    Time: 5:56:11 PM
    User: POOP1\(***myname***)
    Computer: POOP1
    Description:
    Successful Logon:
    User Name: (***myname***)
    Domain: POOP1
    Logon ID: (0x0,0xDB75)
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: POOP1
    Logon GUID: {00000000-0000-0000-0000-000000000000}

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    I don't have other computers or routers involved at home. I am connecting to the 'net through a dialup. I am also running TDS-3, PG, port explorer, AntiVir, and Opera 7.50 when I'm online.
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Quick question here: Have you posted about this issue in the Sygate forums at http://forums.sygate.com/vb/forumdisplay.php?forumid=6 . I just looked rather quickly and didn't see anything that seemed to be this issue. And I would think that Sygate might like to know.
     
  3. Pikachu762

    Pikachu762 Registered Member

    Joined:
    Jan 31, 2004
    Posts:
    41
    I just posted this on the Sygate forum for SPF free. I hope someone can tell me what's going on with my machine. Something is clearly not right, given the log entries I'm getting and SPF crashing all the time.

    This is frustrating....
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I suspect it may be worse than 'frustrating'.

    I just wanted to encourage you to post over there, so they'd know. I'd seen a vague reference to something very similar in one of the NNTP newsgroups a few days ago, so after seeing your post here, I went over there and didn't immediately see anything.

    Sometimes, it just takes one person to get the ball rolling and you may end up with a dozen others chiming in. I had an earlier version of SPF running on a machine here, but we just took it off last week, so I couldn't take a look at it myself.

    Keep tracking this thread, also. Someone may show up eventually with some helpful ideas.
     
  5. yo yo

    yo yo Guest

    open syge personal firewall...click on TOOLS then click OPTIONS click on
    SECURITY make sure you sceck the box that says BLOCK ALL TRAFFIC WHEN SERVICE IS NOT LOADED... this option prevents hackers and their trojans from gaining access to your system if sygate crashes.until sygate comes out with a newer version i still believe sygate personal firewall is the best software firewall solution on the market today period.
     
  6. Delgado

    Delgado Registered Member

    Joined:
    Apr 28, 2004
    Posts:
    131
    I always used to use Sygate Personal Firewall, but since going Broadband have been unable to do so. I am on Tiscali Broadband, using a Sagem ADSL Box, and I have tried all versions of Sygate, but all suddenly crash and switch off for no reason. I am now using Zone Alarm.
     
  7. dread

    dread Registered Member

    Joined:
    May 18, 2004
    Posts:
    195
    There probally is one for sygate, I wouldnt doubt it. I know there is alot for zone alarm, never looked into it or paid attention to it until one day I went to a website and the site totally killed zone alarm. And I do mean kill. I uninstalled deleted the folders and ran a regestry cleaner reinstalled it and still no go thats when I trashed zone alarm. Dont know if they fixed it or not, but they will make exploits for the more well known firewalls, sygate, zonealarm, kerio, norton etc... Just hope the firewall compainies are patching/fixing the problems.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas

    Don't most antivirus, firewall, etc apps have an option to password protect the program?

    If "something" tries to modify or take over the app, your password window should pop up.

    Any insight?
     
  9. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    I've not heard of any anti-virus utility doing this and while some firewalls do offer the ability to password-protect their configuration, this is to protect against it being modified by others rather than as a means of trojan defence (a utility like Process Guard would be needed for this). Such a feature is overdue though - and any such password window needs to use "OCR-proof" techniques to verify that it is a real human rather than a sophisticated trojan responding (again, Process Guard has a good implementation of this).

    If Sygate is being terminated by suspect packets, one option could be to use a packet sniffer like Ethereal to capture those packets for further inspection. Ideally, if you had a second machine, you could use it to "replay" the capture frame-by-frame allowing you to identify the exact packet responsible - but Ethereal does not offer this facility (although TCPReplay could do this if you have a Linux system handy).
     
  10. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Most of the AV apps I know of use password protection. Sygate Pro also has an " ask for password before exitting option. I don't think the free version has this option though. Sounds like you have some type of trojan or something bradcasting your address. You said you are using a dial up connection, so your IP address should change each time you sign on and yet they are still finding you. Which programs do you allow server rights to?
     
  11. Denim

    Denim Registered Member

    Joined:
    Apr 2, 2004
    Posts:
    20
    I to am running Sygate Personal Firwall. And b4 the new came out at the first of this month, yes there Was a Major Exploit in the 5.5 version build2555. Sygate Was aware of this Issue as they did adress it on their website http://www.sygate.com/alerts/SSR20040616-0001.htm as well as in their newsletters . BTW if you sign up for their free news letters they do send you the updates right to your inbox.
    I was getting a lot of hits by some hacker that went by the name RIPE And his IP addy Stated , "that the whole world is my Email Address So get over it .
    I found this out by doing a backtrace to see where the source of the hits were coming from . And I dropped a Line to the techs. And I guess Sygate was on the job like they Always are , 3 or 4 days later I get their News letter from them , Stating that there were vounerablities in their 2555 build and a link to the site with the New 5577 build. I uninstalled the Old one, and reinstalled the new one and Since then , the Only hits I have been getting are either from my ISP server (I'm on dial up here ) or From Sygate themselves when I do my security checks there at their site.
    But when you start getting a Lot of critical hits like that or it is not letting you acessess somewhere Check down in your task bar next to your clock and see if the icon is flashing Red if so click on it and then right click on the IP addy you see there then left click on backtrack then highlight one of the Ip Addy's in the back trace log and then click the Who is button and that will tell you Exactally Who is Scanning you system and where it is coming from . And if it looks bad enuff , Just ask Sygate, how you make a copy of the Log, after telling them about it. To turn over to the F.B.I or your I.S.P server , for further investigation.
    But I love my sygate, as they are the BEST FREE Firewall out there , and to this date that that I know of Havent never been hacked thru yet !!. But that is just my 2 cents is all.

    Oh as as far, as knocking them off the Net , no it did NOT do that ,as they are always one step ahead of the Game. :)
    And for all of you wireless users, Yes they do have New updates and stuff for yall to.

    I hoped I helped :)
    :) Denim :)
     
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Forget the FBI - they will only consider cases where more than $5,000 worth of damage has been done. The originating ISP may be a better bet - but you need to have full details of the traffic involved with accurate times (i.e. make sure your PCs clock has been synchronised with a timeserver). Even then, odds are that there will be no response.

    For most people, a better solution is to submit firewall logs to groups like DShield.org or MyNetWatchman.
     
  13. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Sygate free has password protection for accessing the control panel and there is also the option to ask the password when exiting.What the free version doesn't have is the "Block internet traffic when the firewall isn't loaded" feature.
     
Thread Status:
Not open for further replies.